Cisco Email Security Appliance C390 User Manual

Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 11      Data Loss Prevention
  • Content Matching Classifier. The next level is the content matching classifier, which scans an outgoing message and its attachments and headers for sensitive information, such as credit card data or other personal information. A classifier contains a number of detection rules along with context rules that impose additional requirements. As an example, consider the Credit Card Number classifier developed by RSA. This classifier requires not only that the message contains a text string that matches a credit card number pattern, but also that it contains supporting information such as an expiration date, a credit card company name (Visa, AMEX, etc.), or a person’s name and address. Requiring this additional information results in more accurate verdicts of a message’s content, leading to fewer false positives. A DLP violation occurs when a classifier detects sensitive information in a message.
  • DLP Policy. At the highest level is a DLP policy, which consists of a set of conditions, as well as an assigned message action. The conditions include classifiers for a message’s content and tests for message metadata, such as the sender, the recipient, or an attachment file type. The message action specifies both the overall action to take on messages (deliver, drop, or quarantine) and secondary actions such as encrypting the message, altering the header, and sending notifications to members of your organization.
You define your organization’s DLP policies in the DLP Policy Manager and then enable the DLP 
policies in your outgoing mail policies. The appliance scans outgoing messages for DLP policy 
violations after the Outbreak Filters stage of the “work queue.” AsyncOS also provides the DLP 
Assessment Wizard to guide you through setting up the most popular DLP policies. For more 
information, see 
The RSA Email DLP scanning engine scans each message, along with its headers and attachments, using 
every classifier in the DLP policies enabled in the outgoing mail policy. To scan message headers, the 
Cisco IronPort appliance’s content scanning engine prepends the headers to the message body or any 
MIME parts that are content, and the RSA Email DLP scanning engine performs a content matching 
classifier scan. To scan attachments, the appliance’s content scanning engine extracts the attachment for 
the RSA Email DLP scanning engine to analyze. 
After scanning is complete, the RSA Email DLP engine determines if the message violated any of the 
enabled DLP policies. If the violation matches more than one DLP policy, the RSA Email DLP engine 
chooses the first matching DLP policy listed in the outgoing mail policy in a top-down fashion. You 
define the order of the DLP policies in the DLP Policy Manager.
The RSA Email DLP engine decides how to handle a message by first calculating a risk factor score for 
the DLP violation. The risk factor score represents the severity of the DLP violation, ranging from 0 to 
100. The RSA Email DLP engine compares the risk factor score to the Severity Scale defined for that 
DLP policy. The Severity Scale categorizes the possible DLP violation as one of the following severity 
levels:
  • Ignore
  • Low
  • Medium
  • High
  • Critical
The severity level determines which actions, if any, are taken on the message.
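
The layering described above, as an added Python sketch that is not RSA's or Cisco's code: a detection rule gated by context rules, a 0 to 100 risk factor score, and a Severity Scale lookup. The regular expressions, the Luhn checksum, the score weights, the band thresholds and the severity-to-action mapping are all assumptions chosen for illustration, and the sample messages are constructed.

```python
import re

# Detection rule: 13-16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# Context rules (illustrative patterns): supporting evidence in the message.
CONTEXT_RULES = {
    "expiration": re.compile(r"\bexp\w*\.?\s*:?\s*(?:0[1-9]|1[0-2])/\d{2,4}", re.I),
    "card_company": re.compile(r"\b(?:visa|amex|mastercard)\b", re.I),
}
# Assumed Severity Scale: (highest score in band, level, message action).
SEVERITY_SCALE = [
    (9, "Ignore", "deliver"), (39, "Low", "deliver"), (59, "Medium", "quarantine"),
    (89, "High", "quarantine"), (100, "Critical", "drop"),
]

def luhn_ok(digits):
    """Checksum used to discard random digit runs (order IDs, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def risk_factor(text):
    """Return a 0-100 score; 0 unless detection AND context rules both match."""
    cards = {re.sub(r"\D", "", m.group()) for m in CARD_RE.finditer(text)}
    cards = {c for c in cards if luhn_ok(c)}
    context = [name for name, rx in CONTEXT_RULES.items() if rx.search(text)]
    if not cards or not context:
        return 0
    # Assumed weights: more supporting context and more numbers raise severity.
    return min(100, 30 + 25 * len(context) + 10 * (len(cards) - 1))

def verdict(text):
    """Map the risk factor score onto the Severity Scale and its action."""
    score = risk_factor(text)
    for upper, level, action in SEVERITY_SCALE:
        if score <= upper:
            return score, level, action

# Constructed sample messages (4111... is a widely published test number).
SAMPLES = {
    "order_id": "Your order 4111111111111111 has shipped.",
    "one_hint": "Please charge my Visa 4111 1111 1111 1111 today.",
    "two_hints": "Visa 4111-1111-1111-1111, exp 09/27, thanks.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, verdict(body))
```

The `order_id` sample shows why the context rules matter: a checksum-valid 16-digit string with no supporting information scores 0 and is ignored instead of producing a false positive.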
You can use the DLP Incidents report to view information on DLP violations discovered in outgoing 
mail. You can also use message tracking to search for messages based on the severity of the DLP 
violation.
  • For more information on DLP email policies and content matching classifiers, see